{
  "status": "ok",
  "message-type": "work",
  "message-version": "1.0.0",
  "message": {
    "indexed": {"date-parts": [[2025, 10, 10]], "date-time": "2025-10-10T01:44:49Z", "timestamp": 1760060689679, "version": "build-2065373602"},
    "reference-count": 25,
    "publisher": "MDPI AG",
    "issue": "9",
    "license": [{"start": {"date-parts": [[2025, 9, 18]], "date-time": "2025-09-18T00:00:00Z", "timestamp": 1758153600000}, "content-version": "vor", "delay-in-days": 0, "URL": "https://creativecommons.org/licenses/by/4.0/"}],
    "funder": [{"name": "Research Council of Norway through the CORESIM (Context-Based Real-Time OT-IT Systems Integrity Management) project", "award": ["344244"], "award-info": [{"award-number": ["344244"]}]}],
    "content-domain": {"domain": [], "crossmark-restriction": false},
    "short-container-title": ["Information"],
    "abstract": "<jats:p>Over the last 15 years, cyberattacks have moved from attacking IT systems to targeted attacks on Operational Technology (OT) systems, also known as Cyber–Physical Systems (CPS). The first targeted OT cyberattack was Stuxnet in 2010, at which time the term Advanced Persistent Threat (APT) appeared. An APT often refers to a sophisticated two-stage cyberattack requiring an extensive reconnaissance period before executing the actual attack. Following Stuxnet, a sizable number of APTs have been discovered and documented. APTs are difficult to detect due to the many steps involved, the large number of attacker capabilities that are in use, and the timeline. Such attacks are carried out over an extended time period, sometimes spanning several years, which means that they cannot be recognized using signatures, anomalies, or similar patterns. APTs require detection capabilities beyond what current detection paradigms are capable of, such as behavior-based, signature-based, protocol-based, or other types of Intrusion Detection and Prevention Systems (IDS/IPS). This paper describes steps towards improving the detection of APTs by means of APT group digital fingerprints. An APT group fingerprint is a digital representation of the attacker’s capabilities, their relations and dependencies, and their technical implementation for an APT group. The fingerprint is represented as a directed graph, which models the relationships between the relevant capabilities. This paper describes part of the analysis behind establishing the APT group digital fingerprint for the Russian Cyberspace Operations Group - Sandworm.</jats:p>",
    "DOI": "10.3390/info16090811",
    "type": "journal-article",
    "created": {"date-parts": [[2025, 9, 18]], "date-time": "2025-09-18T12:24:25Z", "timestamp": 1758198265000},
    "page": "811",
    "update-policy": "https://doi.org/10.3390/mdpi_crossmark_policy",
    "source": "Crossref",
    "is-referenced-by-count": 0,
    "title": ["Improving Detectability of Advanced Persistent Threats (APT) by Use of APT Group Digital Fingerprints"],
    "prefix": "10.3390",
    "volume": "16",
    "author": [
      {"given": "Laszlo", "family": "Erdodi", "sequence": "first", "affiliation": [{"name": "Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, Norwegian University of Science and Technology, 2815 Gjøvik, Norway"}, {"name": "Department of Informatics, The Faculty of Mathematics and Natural Sciences, University of Oslo, 0315 Oslo, Norway"}], "role": [{"role": "author", "vocabulary": "crossref"}]},
      {"given": "Doney", "family": "Abraham", "sequence": "additional", "affiliation": [{"name": "Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, Norwegian University of Science and Technology, 2815 Gjøvik, Norway"}], "role": [{"role": "author", "vocabulary": "crossref"}]},
      {"ORCID": "https://orcid.org/0000-0003-1897-5132", "authenticated-orcid": false, "given": "Siv Hilde", "family": "Houmb", "sequence": "additional", "affiliation": [{"name": "Department of Information Security and Communication Technology, Faculty of Information Technology and Electrical Engineering, Norwegian University of Science and Technology, 2815 Gjøvik, Norway"}, {"name": "Norwegian Defence Cyber Academy, Norwegian Defence University College, 2617 Lillehammer, Norway"}], "role": [{"role": "author", "vocabulary": "crossref"}]}
    ],
    "member": "1968",
    "published-online": {"date-parts": [[2025, 9, 18]]},
    "reference": [
      {"unstructured": "IEEE Spectrum (2013, February 04). The Real Story of STUXNET. Available online: https://spectrum.ieee.org/the-real-story-of-stuxnet.", "key": "ref_1"},
      {"unstructured": "NATO Standardization Office (NSO) (2020, January 06). AJP-3.20 Allied Joint Doctrine for Cyberspace Operations. NATO Standard, Edition A Version 1, Available online: https://assets.publishing.service.gov.uk/media/5f086ec4d3bf7f2bef137675/doctrine_nato_cyberspace_operations_ajp_3_20_1_.pdf.", "key": "ref_2"},
      {"unstructured": "Ahlberg, C. (2019). Moving Toward a Security Intelligence Program. The Threat Intelligence Handbook, CyberEdge Group LLC. [2nd ed.].", "key": "ref_3"},
      {"unstructured": "IBM Security (2025, July 12). Cost of a Data Breach Report. Available online: https://tinyurl.com/ypbk4m2m.", "key": "ref_4"},
      {"unstructured": "International Electrotechnical Commission (2016). IEC 60870-5-104:2006+AMD1:2016 CSV, Telecontrol Equipment and Systems–Part 5-104: Transmission Protocols–Network Access for IEC 60870-5-101 Using Standard Transport Profiles, IEC. [2.1].", "key": "ref_5"},
      {"unstructured": "Defense Use Case (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid, Electricity Information Sharing and Analysis Center (E-ISAC).", "key": "ref_6"},
      {"unstructured": "Lipovský, R., and Cherepanov, A. (2022). Industroyer2: The Return of the Most Powerful Industrial Malware, ESET Research. Available online: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/.", "key": "ref_7"},
      {"unstructured": "Dragos Inc. (2017). CRASHOVERRIDE: Analyzing the Malware that Attacks Power Grids, Dragos Inc. Available online: https://www.dragos.com/resources/whitepaper/crashoverride-analyzing-the-malware-that-attacks-power-grids/.", "key": "ref_8"},
      {"unstructured": "International Electrotechnical Commission (IEC) (2024). IEC 61850:2024 SER Communication Networks and Systems for Power Utility Automation—All Parts, IEC. Available online: https://webstore.iec.ch/publication/6028.", "key": "ref_9"},
      {"doi-asserted-by": "crossref", "unstructured": "Rashid, M.T.A., Yussof, S., Yusoff, Y., and Ismail, R. (2014, January 18–20). A Review of Security Attacks on IEC61850 Substation Automation System Network. Proceedings of the 6th International Conference on Information Technology and Multimedia (ICIMU), Putrajaya, Malaysia.", "key": "ref_10", "DOI": "10.1109/ICIMU.2014.7066594"},
      {"doi-asserted-by": "crossref", "unstructured": "Ashraf, S., Shawon, M.H., Khalid, H.M., and Muyeen, S.M. (2021). Denial-of-Service Attack on IEC 61850-Based Substation Automation System: A Crucial Cyber Threat towards Smart Substation Pathways. Sensors, 21.", "key": "ref_11", "DOI": "10.3390/s21196415"},
      {"doi-asserted-by": "crossref", "unstructured": "Erdődi, L., Kaliyar, P., Houmb, S.H., Akbarzadeh, A., and Waltoft-Olsen, A.J. (2022, January 23–26). Attacking Power Grid Substations: An Experiment Demonstrating How to Attack the SCADA Protocol IEC 60870-5-104. Proceedings of the ARES ’22: Proceedings of the 17th International Conference on Availability, Reliability and Security, Vienna, Austria.", "key": "ref_12", "DOI": "10.1145/3538969.3544475"},
      {"doi-asserted-by": "crossref", "unstructured": "Akbarzadeh, A., Erdodi, L., Houmb, S.H., Soltvedt, T.G., and Muggerud, H.K. (2023). Attacking IEC 61850 Substations by Targeting the PTP Protocol. Electronics, 12.", "key": "ref_13", "DOI": "10.3390/electronics12122596"},
      {"key": "ref_14", "first-page": "2675", "article-title": "A Comprehensive Survey on Advanced Persistent Threat (APT) Detection Techniques", "volume": "80", "author": "Krishnapriya", "year": "2024", "journal-title": "Comput. Mater. Contin."},
      {"unstructured": "Slick, S.B. (2022). Intelligence in Defense of Democracy, PRP 221, LBJ School of Public Affairs.", "key": "ref_15"},
      {"unstructured": "Slowik, J. (2019). Crashoverride: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack, Dragos, Inc.", "key": "ref_16"},
      {"key": "ref_17", "doi-asserted-by": "crossref", "first-page": "2456", "DOI": "10.1109/COMST.2023.3305468", "article-title": "Smart Substation Communications and Cybersecurity: A Comprehensive Survey", "volume": "25", "author": "Gaspar", "year": "2023", "journal-title": "IEEE Commun. Surv. Tutor."},
      {"unstructured": "Pinto, A.D., Dragoni, Y., and Carcano, A. (2018, January 8–9). TRITON: The First ICS Cyber Attack on Safety Instrument Systems. Proceedings of the Black Hat USA, Las Vegas, NV, USA.", "key": "ref_18"},
      {"unstructured": "Assante, M.J., and Lee, R.M. (2015). The Industrial Control System Cyber Kill Chain, SANS Institute InfoSec Reading Room.", "key": "ref_19"},
      {"unstructured": "Gady, F.-S., and Stronell, A. (2020). Cyber Capabilities and Multi-Domain Operations in Future High-Intensity Warfare in 2030. Cyber Threats and NATO 2030: Horizon Scanning and Analysis, NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).", "key": "ref_20"},
      {"unstructured": "Lockheed Martin Corporation (2025, July 12). Cyber Kill Chain®, Available online: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html.", "key": "ref_21"},
      {"key": "ref_22", "doi-asserted-by": "crossref", "first-page": "2739", "DOI": "10.1007/s10207-024-00856-6", "article-title": "Two-stage advanced persistent threat (APT) attack on an IEC 61850 power grid substation", "volume": "23", "author": "Akbarzadeh", "year": "2024", "journal-title": "Int. J. Inf. Secur."},
      {"unstructured": "Abuse, C. (2025, July 12). MalwareBazaar: A Repository for Sharing Malware Samples. Available online: https://bazaar.abuse.ch.", "key": "ref_23"},
      {"unstructured": "IFE (2022). CybWin—Cybersecurity Platform for Assessment and Training for Critical Infrastructures, Institute for Energy Technology (IFE). Available online: https://ife.no/en/cybwin-project-results/.", "key": "ref_24"},
      {"unstructured": "NORCE (2022). Drilling and Well Center–Stavanger, Norwegian Research Centre AS (NORCE). Available online: https://ullrigg.norceresearch.no/.", "key": "ref_25"}
    ],
    "container-title": ["Information"],
    "original-title": [],
    "language": "en",
    "link": [{"URL": "https://www.mdpi.com/2078-2489/16/9/811/pdf", "content-type": "unspecified", "content-version": "vor", "intended-application": "similarity-checking"}],
    "deposited": {"date-parts": [[2025, 10, 9]], "date-time": "2025-10-09T18:47:49Z", "timestamp": 1760035669000},
    "score": 1,
    "resource": {"primary": {"URL": "https://www.mdpi.com/2078-2489/16/9/811"}},
    "subtitle": [],
    "short-title": [],
    "issued": {"date-parts": [[2025, 9, 18]]},
    "references-count": 25,
    "journal-issue": {"issue": "9", "published-online": {"date-parts": [[2025, 9]]}},
    "alternative-id": ["info16090811"],
    "URL": "https://doi.org/10.3390/info16090811",
    "relation": {},
    "ISSN": ["2078-2489"],
    "issn-type": [{"type": "electronic", "value": "2078-2489"}],
    "subject": [],
    "published": {"date-parts": [[2025, 9, 18]]}
  }
}